AMENDMENTS TO THE CLAIMS: 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 

LISTING OF CLAIMS 

1.-64. (Cancelled) 

65. (Currently Amended) A method for detecting a substring of interest from a 
plurality of datagrams that arrives out-of-order, comprising: 

receiving a datagram, the datagram comprising a body substring and a 
header with an index; 

determining whether a preceding span exists in a span set; 

determining whether a succeeding span exists in said span set; 

inserting a new span into said span set when neither a preceding span nor 
a succeeding span exists, the new span corresponding to said datagram; 

replacing said preceding span with the datagram, when a preceding span 
exists but a succeeding span does not exist; 

replacing said succeeding span with the datagram, when a succeeding 
span exists but a preceding span does not exist; 

replacing said preceding span and said succeeding span with a join span 
comprising said datagram , said preceding span, and said succeeding span , 
when both a preceding span and a succeeding span exist; and 

applying an automaton having a list of substrings of interest to the body 
substring of said datagram to determine whether contents of said body substring 
match one of said substrings of interest. 

66. (New) The method of claim 65, wherein said body substring is forwarded, 
while parameters of said body substring are stored. 

67. (New) The method of claim 66, wherein said parameters comprise at 
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least one of: a state of said automaton, said index, a length of the body substring, 
or a prefix. 

68. (New) The method of claim 65, further comprising: 

determining whether said body substring is subsequently dropped by a 
target machine. 

69. (New) The method of claim 68, wherein if said body substring is 
subsequently dropped, then a connection for passing said body substring is 
reset. 

70. (New) The method of claim 69, wherein said connection is a TCP 
connection. 

71. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a network monitoring function. 

72. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as an intrusion detection function. 

73. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a firewall function. 

74. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a routing function. 

75. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a load balancing function. 

76. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as an anti-virus filtering function. 
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77. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as an anti-spam filtering function. 

78. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a document control function. 

79. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a web content filtering function. 

80. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a virtual private network monitoring function. 

81. (New) The method of claim 65, wherein said method for detecting a 
substring of interest is performed as a storage area network security function. 

82. (New) A computer-readable medium having stored thereon a plurality of 
instructions, the plurality of instructions including instructions which, when 
executed by a processor, cause the processor to perform the steps of a method 
for detecting a substring of interest from a plurality of datagrams that arrives out- 
of-order, comprising: 

receiving a datagram, the datagram comprising a body substring and a 
header with an index; 

determining whether a preceding span exists in a span set; 

determining whether a succeeding span exists in said span set; 

inserting a new span into said span set when neither a preceding span nor 
a succeeding span exists, the new span corresponding to said datagram; 

replacing said preceding span with the datagram, when a preceding span 
exists but a succeeding span does not exist; 

replacing said succeeding span with the datagram, when a succeeding 
span exists but a preceding span does not exist; 
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replacing said preceding span and said succeeding span with a join span 
comprising said datagram, said preceding span, and said succeeding span, 
when both a preceding span and a succeeding span exist; and 

applying an automaton having a list of substrings of interest to the body 
substring of said datagram to determine whether contents of said body substring 
match one of said substrings of interest. 

83. (New) The computer-readable medium of claim 82, wherein said body 
substring is forwarded, while parameters of said body substring are stored. 

84. (New) The computer-readable medium of claim 83, wherein said 
parameters comprise at least one of: a state of said automaton, said index, a 
length of the body substring, or a prefix. 

85. (New) The computer-readable medium of claim 82, further comprising: 
determining whether said body substring is subsequently dropped by a 

target machine. 

86. (New) The computer-readable medium of claim 85, wherein if said body 
substring is subsequently dropped, then a connection for passing said body 
substring is reset. 

87. (New) The computer-readable medium of claim 86, wherein said 
connection is a TCP connection. 

88. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a network monitoring 
function. 

89. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as an intrusion detection 
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function. 



90. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a firewall function. 

91. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a routing function. 

92. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a load balancing function. 

93. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as an anti-virus filtering function. 

94. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as an anti-spam filtering 
function. 

95. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a document control function. 

96. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a web content filtering 
function. 

97. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a virtual private network 
monitoring function. 

98. (New) The computer-readable medium of claim 82, wherein said method 
for detecting a substring of interest is performed as a storage area network 
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security function. 

99. (New) An apparatus for detecting a substring of interest from a plurality of 
datagrams that arrives out-of-order, comprising: 

means for receiving a datagram, the datagram comprising a body 
substring and a header with an index; 

means for determining whether a preceding span exists in a span set; 

means for determining whether a succeeding span exists in said span set; 

means for inserting a new span into said span set when neither a 
preceding span nor a succeeding span exists, the new span corresponding to 
said datagram; 

means for replacing said preceding span with the datagram, when a 
preceding span exists but a succeeding span does not exist; 

means for replacing said succeeding span with the datagram, when a 
succeeding span exists but a preceding span does not exist; 

means for replacing said preceding span and said succeeding span with a 
join span comprising said datagram, said preceding span, and said succeeding 
span, when both a preceding span and a succeeding span exist; and 

means for applying an automaton having a list of substrings of interest to 
the body substring of said datagram to determine whether contents of said body 
substring match one of said substrings of interest. 

1 00. (New) The apparatus of claim 99, further comprising: 
means for forwarding said body substring; and 
means for storing parameters of said body substring. 

101. (New) The apparatus of claim 100, wherein said parameters comprise at 
least one of: a state of said automaton, said index, a length of the body substring, 
or a prefix. 

1 02. (New) The apparatus of claim 99, further comprising: 
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means for determining whether said body substring is subsequently 
dropped by a target machine. 

103. (New) The apparatus of claim 102, further comprising: 

means for re-setting a connection for passing said body substring when 
said body substring is subsequently dropped. 

104. (New) The apparatus of claim 103, wherein said connection is a TCP 
connection. 

105. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a network monitoring system. 

106. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as an intrusion detection system. 

107. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a firewall system. 

108. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a routing system. 

109. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a load balancing system. 

110. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as an anti-virus filtering system. 



111. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as an anti-spam filtering system. 



112. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a document control system. 

1 1 3. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a web content filtering system. 

114. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a virtual private network monitoring 
system. 

1 1 5. (New) The apparatus of claim 99, wherein said apparatus for detecting a 
substring of interest is implemented as a storage area network security system. 

116. (New) A method for detecting a substring of interest from a plurality of 
datagrams that arrives out-of-order, comprising: 

receiving a datagram, the datagram comprising a body substring and a 
header with an index; 

updating a span in a span set, in accordance with said datagram, wherein 
the updating comprises: 

determining whether a preceding span exists in said span set; 
determining whether a succeeding span exists in said span set; 

and 

forming a join span comprising said datagram and at least one of: 
said preceding span or said succeeding span; and 

applying an automaton having a list of substrings of interest to the body 
substring of said datagram to determine whether contents of said body substring 
match one of said substrings of interest. 



